NGFW - what are the advantages of the next generation firewalls?

The term ‘Next-Generation Firewall (NGFW)’ was invented by Gartner Research analysts and means using the third-generation network firewall technologies in devices. The solutions are based on previous-generation firewalls, the functionality of which was limited only to simple checks and blocking ports/protocols, when necessary. However, since an increasing number of enterprises are now using online applications and SaaS services, simple port and protocol control is not enough to ensure effective network security. In contrast, new devices have added seamless integration of additional features, such as built-in deep packet inspection (DPI), intrusion prevention system (IPS), and application-level traffic checking (Web Application Firewall). Some NGFW’s also include the checking of encrypted TLS / SSL traffic, web site filtering, bandwidth control and QoS, anti-virus scanning and integration with third-party identity management systems such as LDAP, RADIUS and Active Directory.

Next-generation firewalls are currently categorized as advanced solutions. However, the ongoing massive transition of existing IT systems are publicly available to IaaS cloud platforms, such as Amazon Web Services, Microsoft Azure and Google Cloud Platform resulting in an increasing complexity of hybrid network architectures. This becomes the driving force for further expansion of new-generation firewall capabilities which includes providing advanced traffic management, optimization of WAN, quality of service and transparent integration of the cloud platform.

How the Next-Generation Firewall works. Source: Palo Alto Networks

It is worth noting that NGFW provides many tools for automated protection against cyber threats in social networks. As part of anti-phishing protection, these systems can check URLs that are received by company employees and block them if they lead to malicious sites. In addition, NGFW can also analyse attachments that are sent through messages on social networks and prohibit them access if they contain malicious codes.

Below you can see a brief description of the most popular products in the NGFW segment. More detailed information about the products can be found in the comparison table for NG Firewall at ROI4CIO. It is based on a comparison of leaders (according to Gartner research results).

Barracuda

Barracuda CloudGen Firewall is a family of physical, virtual and cloud devices that are designed to protect the infrastructure of a distributed enterprise network. These types of devices provide enhanced security because they contain the full range of NGFW technologies, including profiling of Level 7 applications, intrusion prevention, web filtering, protection against malware and threats, protection against spam and access control to the network.

Barracuda cloud firewalls are best suited for enterprises with multiple branches, managed service providers and other organizations with a complex distributed network infrastructure.

For an immediate response to threats, Barracuda provides Advanced Threat Protection, an integrated cloud service that analyses traffic across all major threat vectors.

Barracuda Advanced Threat Protection provides protection for the company's infrastructure as well as the ability to detect and block new complex threats without compromising network performance and bandwidth. Advanced Threat Protection is available for all Barracuda CloudGen firewall models.

Some of the main advantages of the Barracuda CloudGen products are as follows:

Palo Alto Networks

Palo Alto Networks Next-generation firewalls detect both known and unknown threats (including encrypted traffic) by using data from several thousand installed devices. This approach allows Palo Alto Networks products to prevent a wide range of attacks. For example, these firewalls allow users to access data and applications based on business requirements, as well as preventing identity theft and prohibiting hackers from using stolen information.

With the help of Palo Alto Networks’ NGFW, enterprises can quickly create security rules which comply with their business policies and are easy to maintain and adapt to their dynamic environment. They reduce response time through policy-based automatic response. At the same time, IT department can quickly automate workflow by integrating with administrative tools such as ticket creation services or any other system with a RESTful API.

Palo Alto Networks NGFW are supplied both as virtual and hardware devices. For example, the VM series protects private and public cloud environments, providing access to applications and preventing threats. Traffic is classified on the basis of applications, not ports, which gives a detailed view of the threats.

Palo Alto Networks also supplies a wide range of NGFW hardware — from the compact PA-200 model to the super powerful PA-7000 enterprise level system. The PA-200 is a next-generation firewall in a small form factor that protects networks by blocking a wide range of cyber threats and at the same time ensuring the safe inclusion of applications.

SonicWall

SonicWall offers its customers protection of public, private or hybrid cloud environments using virtualized versions of new-generation firewalls. SonicWall solutions simplify administration with a common management system for virtual and physical infrastructure.

The SonicWall Network Security (NSA) device series provide medium and large-sized companies with a set of advanced threat prevention features. The NSA series provides automated detection and blocking of attacks in real time through innovative deep learning technologies in the SonicWall Capture cloud platform.

NSA Series are distinguished by two basic security technologies that provide a reliable barrier against cyber attacks. Enhanced Advanced Threat Protection (ATP) multiprocessing service is a SonicWall's proprietary Real-Time Deep Memory Inspection Technology (RTDMI). The RTDMI mechanism actively detects and blocks mass and zero-day threats, as well as unknown malware by checking its memory. Thanks to the real-time architecture, SonicWall RTDMI technology minimizes false positives and also detects and mitigates sophisticated attacks when a malware attack takes less than 100 nanoseconds. Furthermore, SonicWall's patented single-pass packet inspection (RFDPI) engine scans every byte of incoming and outgoing traffic. In addition to the built-in capabilities, the use of the SonicWall Capture cloud platform in the NSA series, including intrusion protection, malware, and web/URL filtering, allows you to block even the most dangerous and insidious threats at the gateway.

Additionally, SonicWall NGFW firewalls provide an additional level of security by performing full decryption and verification of encrypted TLS / SSL and SSH connections regardless of port or protocol. The firewall scrutinizes every packet (header and data) for protocol inconsistencies, threats, zero days, intruders and even certain specific criteria. The deep packet inspection mechanism detects and prevents hidden attacks that use cryptography, blocks encrypted malware downloads, stops the spread of viruses and prevents the exchange of data between the affected computer and the control centre. Inclusion and exclusion rules allow full control over which traffic is subject to decryption and inspection based on specific organizational requirements and/or legal requirements.

When enterprises activate deep packet inspection functions in their firewalls, such as IPS, antivirus, antispyware software, TLS / SSL decryption/verification and others, network performance usually decreases, sometimes quite drastically. However, the firewalls of the NSA series are built on multi-core architecture which uses specialized microprocessors. Combined with RTDMI and RFDPI modules, this architecture eliminates the decline of the network systems performance.

Check Point

Today, employees use more applications than ever in their everyday work. This means that if the information security department does not have a specialized means of protection, it has to implement a variety of measures to ensure an adequate level of security. Check Point Next Generation Firewall provides the industry’s largest application coverage — over 8,000 applications and 260,000 social networking widgets. Administrators can create detailed security policies based on users or groups to identify, block or restrict the use of web applications and widgets, such as instant messaging, social media posting, video streaming, VoIP, games, etc.

Seamless integration with leading Identity and Access Management (IAM) systems vendors, such as Microsoft Active Directory, ensures detailed user identification, which can be obtained through:

integration with IAM or web API providers;

through the portal;

by installing a one-time thin agent on the client side.

For quick analysis of security event data, the developer integrated SmartLog, an advanced log analyser that provides search results in a fraction of a second. Thus, the department is notified of threats for many millions of log entries in real time.

Check Point's unified security management simplifies the monumental task of managing a company's security environment. The information security department will see and monitor threats, devices and users using an intuitive graphical interface that provides diagrams and reports on the status of the security system.

Check Point NGFW contains IPS Software Blade, which protects corporate networks by inspecting packets passing through a gateway. It is a full-featured IPS providing reliable protection against intrusions and frequent automatic updates of the threat definition database. Since IPS is part of an integrated software blade architecture, the customer receives all the benefits of deploying and managing a unified and extensible solution.

Cisco ASA NGFW

Cisco's next-generation firewalls simultaneously offer a range of unique technologies. First of all, we should mention the Talos service provided by a team of over 250 researchers who analyse millions of threats on a daily basis and create the tools that Cisco NGFW uses to protect against the next large-scale attack. Remember the WannaCry, NotPetya, VPNFilter epidemics? Talos stopped these mega attacks (along with many others) before they reached their goal, so Cisco NGFW clients automatically received protection.

Cisco NGFWs use built-in advanced security features such as next-generation IPS systems, advanced malware protection and a sandbox to analyse users, hosts, networks and infrastructure. They constantly monitor suspicious activity and automatically block it upon finding any.

One more important point which should be mentioned is that Cisco NGFW automates work of a corporate network and security systems, and this allows information security departments to save time and focus on more pressing tasks. Threat alerts are ranked by importance, so you can stop “shooting at random” and focus on the most important areas. Cisco NGFW works together with the rest of Cisco's integrated security tools, which allows it to provide information on all attack directions in a timely manner. When this system detects a threat, it automatically blocks it everywhere.

Summary: 5 tips for choosing NGFW products

1. The firewall task No. 1 is to prevent attacks and ensure the security of the customer’s company. But since preventive measures will never be 100% effective, the NGFW should also offer advanced features for the prompt detection of advanced malware. Therefore, you should choose a product with the following features:

blocking threats before they get inside the network;

next-generation high-quality IPS system integrated into the firewall in order to detect hidden threats and quickly neutralize them;

URL filtering to comply with policies at hundreds of millions of URLs;

The next generation firewall should not be an isolated tool: it should exchange information and work with the rest of the security architecture. Therefore, choose a product that meets the following requirements: